Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version
On Sun, 2015-12-06 at 11:46 +0100, Moritz Mühlenhoff wrote:
> Personally I'm in favour of following the openssl point updates and I'd
Noted, thanks for the input.
> like to add an additional data point to the discussion:
> CVE-2015-3196 was already fixed as a plain bugfix in an earlier point
> release, but the security impact was only noticed later on, so following
> the point updates would have fixed this bug five months ago.
In isolation, that's an argument for accepting new upstream versions of
most packages into stable, as there'll always be bugs for which the full
impact may not be immediately apparent.